SandBlast Agent for Linux
Solution
Solution Brief 

SandBlast Agent for Linux protects Linux Endpoint Machines from malware and allows threat hunting EDR capabilities. The solution is centrally managed and can be used as a Management-As-A-Service or deployed on a local on-prem server.

Note: Starting from R81, SandBlast Agent for Linux is supported on EPS On-Prem or EPS Cloud Management.

Key threat prevention technologies:

1. Anti-Malware
  • SandBlast Agent Linux Anti-Malware engine detects trojans, viruses, malware, and other malicious threats
  • Implemented as a multi-threaded flexible scanner daemon
  • Managed centrally via a web console; also supports command-line utilities for on-demand file/folder scans, detection lists and file restorations
Featuring:
  • Automatic signature updates
  • Smart version updates - always up to date

2. Endpoint Detection and Response (EDR) / Threat-Hunting
  • Collects all Linux raw events whether malicious, suspicious or benign for full visibility
  • Allows proactively searching for cyber threats that got past the first line of defense and reached the Linux servers
  • Easy investigation capabilities, such as predefined queries to find suspicious activities

Supporting the following events:
  • Process - start / stop
  • Files - create / delete / rename / open
  • Network - local connections, ports, DNS

Getting Started Guide

Click here for the complete product guide (check the SandBlast Agent for Linux section)

Supported Linux Versions

Distribution    OS Version
Ubuntu          16.04, 18.04, 20.04
Debian          9.12 - 10.5
RHEL            7.8 - 8.3
CentOS          7.8 - 8.3
Oracle Linux    7.9 - 8.3

Prerequisites:

URLs and domains that should be whitelisted:
  • https://secureupdates.checkpoint.com/sbalinux
  • https://s3.amazonaws.com/download.draios.com
  • https://download.sysdig.com
  • https://gwevents.checkpoint.com/gwstats/services/antimalware/1_0_0/log
  • Access to each distribution's standard repositories - the URL is not constant; the mirror is chosen based on latency
  • For RHEL/CentOS, access to the EPEL (Extra Packages for Enterprise Linux) repository is also needed
  • If working with EP MaaS, allow connections to the Management server:
    https://*.epmgmt.checkpoint.com
    Customers can use the precise URL containing the tenant name in firewall rules
  • Anti-Malware signature update URL:
    http(s)://cplinuxam.checkpoint.com
    The signature source can be configured in the AM policy
  • Threat Hunting URLs:
    https://dev-cloudinfra-gw.kube1.iaas.checkpoint.com/auth/external
    https://us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net/stg-gcp-contractprovider
    https://europe-west1-datatube-stg-244010.cloudfunctions.net
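One pre-flight check a practitioner can run on the Linux host before installing the agent, added here as an example and not part of the original article or of Check Point's tooling: it expands the URL list above into (scheme, host, port) targets, covering both schemes for the http(s):// entry and substituting a tenant name into the wildcard host, then probes each target with a TCP connect and, for https, a validating TLS handshake, so a firewall or proxy block shows up before installation. The function names, the probe method and the tenant placeholder are assumptions; the distribution mirrors and EPEL are not probed because their URLs vary.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Entries copied from the Prerequisites list above; mirrors/EPEL omitted (URLs vary).
REQUIRED_URLS = [
    "https://secureupdates.checkpoint.com/sbalinux",
    "https://s3.amazonaws.com/download.draios.com",
    "https://download.sysdig.com",
    "https://gwevents.checkpoint.com/gwstats/services/antimalware/1_0_0/log",
    "https://*.epmgmt.checkpoint.com",      # wildcard: tenant name is substituted below
    "http(s)://cplinuxam.checkpoint.com",   # the page's shorthand for both http and https
    "https://dev-cloudinfra-gw.kube1.iaas.checkpoint.com/auth/external",
    "https://us-east4-chkp-gcp-rnd-threat-hunt-box.cloudfunctions.net/stg-gcp-contractprovider",
    "https://europe-west1-datatube-stg-244010.cloudfunctions.net",
]
def expand(url):
    """Turn one list entry into (scheme, host, port) tuples; 'http(s)://' yields both schemes."""
    if url.startswith("http(s)://"):
        variants = [url.replace("http(s)://", "http://"), url.replace("http(s)://", "https://")]
    else:
        variants = [url]
    out = []
    for u in variants:
        parts = urlsplit(u)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        out.append((parts.scheme, parts.hostname, port))
    return out
def endpoints(urls=REQUIRED_URLS, tenant=None):
    """All egress targets; a '*.' wildcard host gets the tenant name, or stays as-is if none is given."""
    result = []
    for url in urls:
        for scheme, host, port in expand(url):
            if host.startswith("*.") and tenant:
                host = tenant + host[1:]
            result.append((scheme, host, port))
    return result
def probe(scheme, host, port, timeout=5.0):
    """TCP connect and, for https, a full TLS handshake with certificate validation. Returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if scheme != "https":
                return True, "tcp connect ok"
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # DNS failure, refused/timed-out connect and TLS errors all derive from OSError
        return False, str(exc)
if __name__ == "__main__":
    # "TENANT_PLACEHOLDER" is a hypothetical value; replace it with the real tenant name.
    for scheme, host, port in endpoints(tenant="TENANT_PLACEHOLDER"):
        ok, detail = probe(scheme, host, port)
        print(f"{'OK  ' if ok else 'FAIL'} {scheme}://{host}:{port}  {detail}")
```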


Known Limitations

Topic                                   Description
Web Management                          Capabilities field shows N/A (does not show the installed blades)
AntiMalware On-Access                   AntiMalware is triggered on-access only for the /home folder
AntiMalware Root-User                   Files accessed by root users (sudo) are not scanned
AntiMalware Exclusions                  Only path exclusions are supported
AntiMalware Signatures update           Supported only by a direct internet connection from the Linux client. Using the Management server as a proxy is not supported.
AntiMalware RAR/Zip                     RAR/Zip archives are not supported.
ThreatHunting Exclusions                Only process exclusions by path are supported.
Supported environments 32/64 bit        The product supports 64-bit OS only; 32-bit is not supported.
Pending kernel updates                  If an OS kernel update is pending installation, the Linux client installation may fail.
Linux Secure Boot is not supported      The Threat Hunting engine is not supported when Linux Secure Boot is enabled.
Compatibility with other AM providers   Any other (non-Check Point) Anti-Malware engines should be removed from the machine before installing the Linux agent.
OS upgrade                              OS upgrade is not supported; the Linux agent must be re-installed after an OS upgrade.


This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
